<p>
The primary expression
</p>

<pre>
a[low : high : max]
</pre>

<p>
constructs a slice of the same type, and with the same length and elements as the simple slice
expression <code>a[low : high]</code>. Additionally, it controls the resulting slice's capacity
by setting it to <code>max - low</code>. Only the first index may be omitted; it defaults to 0.

pkg syscall (netbsd-arm64-cgo), const IP_PORTRANGE_HIGH ideal-int
pkg syscall (netbsd-arm64-cgo), const IP_PORTRANGE ideal-int
pkg syscall (netbsd-arm64-cgo), const IP_PORTRANGE_LOW = 2
pkg syscall (netbsd-arm64-cgo), const IP_PORTRANGE_LOW ideal-int
pkg syscall (netbsd-arm64-cgo), const IPPROTO_AH = 51
pkg syscall (netbsd-arm64-cgo), const IPPROTO_AH ideal-int
pkg syscall (netbsd-arm64-cgo), const IPPROTO_CARP = 112

A security issue was discovered in Kubernetes that could allow  Windows workloads to run as `ContainerAdministrator` even when those workloads set the `runAsNonRoot` option to `true `.

This issue has been rated low and assigned CVE-2021-25749

### Am I vulnerable?

All Kubernetes clusters with following versions, running Windows workloads with `runAsNonRoot` are impacted

#### Affected Versions

- kubelet v1.20 - v1.21

pkg syscall (darwin-arm64), const IPV6_PORTRANGE_HIGH = 1
pkg syscall (darwin-arm64), const IPV6_PORTRANGE_HIGH ideal-int
pkg syscall (darwin-arm64), const IPV6_PORTRANGE_LOW = 2
pkg syscall (darwin-arm64), const IPV6_PORTRANGE_LOW ideal-int
pkg syscall (darwin-arm64), const IPV6_RECVTCLASS = 35
pkg syscall (darwin-arm64), const IPV6_RECVTCLASS ideal-int
pkg syscall (darwin-arm64), const IPV6_RTHDR_LOOSE = 0

A security issue was discovered in Kubernetes that could allow  Windows workloads to run as `ContainerAdministrator` even when those workloads set the `runAsNonRoot` option to `true `.

This issue has been rated low and assigned CVE-2021-25749

**Am I vulnerable?**

All Kubernetes clusters with following versions, running Windows workloads with `runAsNonRoot` are impacted

**Affected Versions**:

* Bug fixes

  * Changed Kubelet default image-gc-high-threshold to 85% to resolve a conflict with default settings in docker that prevented image garbage collection from resolving low disk space situations when using devicemapper storage. ([#40432](https://github.com/kubernetes/kubernetes/pull/40432), [@sjenning](https://github.com/sjenning))

to ensure that autoscaling can occur optimially in all clusters,
within a set of global constraints on the total number of replicas
permitted across all clusters.  If replicas are not
required in some clusters due to low system load or insufficient quota
or capacity in those clusters, additional replicas are made available
to the autoscalers in other clusters if required.

### Node Components

#### Autoscaling and Metrics

A security issue was discovered in Kubernetes that could allow  Windows workloads to run as `ContainerAdministrator` even when those workloads set the `runAsNonRoot` option to `true `.

This issue has been rated low and assigned CVE-2021-25749

### Am I vulnerable?

All Kubernetes clusters with following versions, running Windows workloads with `runAsNonRoot` are impacted

#### Affected Versions

- Updated kubelet CLI summary documentation and generated webpage ([#73256](https://github.com/kubernetes/kubernetes/pull/73256), [@deitch](https://github.com/deitch))
- Set a low `oom_score_adj` for containers in pods with system-critical priorities ([#73758](https://github.com/kubernetes/kubernetes/pull/73758), [@sjenning](https://github.com/sjenning))

**Fixed Versions**:
  - kube-apiserver v1.29.4
  - kube-apiserver v1.28.9
  - kube-apiserver v1.27.13

This vulnerability was reported by tha3e1vl.


**CVSS Rating:** Low (2.7) [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N)

## Changes by Kind

### Feature

- Kubernetes is now built with go 1.21.9